How Gcore CDN + WAAP process traffic

Gcore WAAP flow overview

A practical mental model of the request flow and response flow when a client hits an application protected by Gcore CDN and Gcore WAAP.

Diagram: request path (Client → CDN Edge → WAAP → Load Balancer (optional) → Origin server), then response path (Origin server → WAAP → CDN Edge → Client).

Note: The exact feature names and ordering can depend on your product setup, but the diagram reflects the practical “how it feels” flow when troubleshooting.

Detailed Nginx processing pipeline

A deeper view into the Nginx FE/BE phases, cache decision branching, and FastEdge WASM hooks, useful for L2 troubleshooting and understanding exactly where each component runs.

Detailed pipeline: SSL → Rewrite → Access → Cache decision → FastEdge → Response filters.

Request flow (Client → Nginx FE → Nginx BE → Cache Lookup)

  • Client: HTTPS request
  • Nginx FE: SSL termination, SNI cert (LMDB) · JA3
  • Rewrite Phase:
    • WAAP: DDoS detection
    • CDN: URI rewrite · cache key
    • FastEdge: on_request_headers
  • Access Phase:
    • WAAP: security engine
    • Traffic profiler · ACL · auth
  • Cache Lookup: HIT → serve · MISS → forward

Cache decision

  • Cache HIT: Cached Response (served from cache) → Header Filter (WAAP response decoration) → Body Filter (WAAP JS injection · FE skipped) → Client
  • Cache MISS, FastEdge configured: gcdn-core-proxy (FastEdge on_request_body, WASM runs) → Origin / Shield (fetch content) → FastEdge WASM (on_response_headers, on_response_body) → Response Filters (WAAP + CDN headers, body processing · logging) → Client
  • Cache MISS, no FastEdge: Origin / Shield (direct fetch) → Response Filters (WAAP + CDN headers · logging) → Client

Response flow (Origin → FastEdge → Filters → Nginx FE → Client)

  • Origin Server: response payload
  • FastEdge: on_response_headers, on_response_body
  • Header Filter: WAAP + CDN headers
  • Body Filter: WAAP · JS injection
  • Log Phase: WAAP stats · logging
  • Nginx FE → Client

Note: Processing order and FastEdge hooks depend on resource config. Response filters (HEADER_FILTER, BODY_FILTER, LOG) always run regardless of cache status.

Legend: Nginx FE/BE, WAAP, Cache, FastEdge, Response Filters

Gcore Request Flow

  • CDN Edge: client TLS/HTTP terminates at the edge
  • Edge controls: ACL, CDN rules, rewrites
  • WAAP:
    • L7 DDoS protections (rate limiting, JavaScript DDoS gateway)
    • Rule engine (global policies + custom/advanced rules)
    • Priority: Allow > Block > Captcha > Handshake (JS validation)
  • Load Balancer: forwards allowed traffic to upstream(s)
  • Origin server: your origin app / API receives the request

Gcore Response Flow

  • Origin server: returns a response (200/4xx/5xx)
  • WAAP:
    • Response rule engine (e.g., response inspection, sensitive data exposure)
    • WAAP response pages (block/captcha/challenge) when a request is convicted
  • CDN Edge: applies caching rules (unless disabled for APIs)
  • Client: receives upstream response or WAAP challenge page

Try it live (your demo endpoints)

These are the endpoints you already use in your demo JS (/api/*), plus your existing tools pages. They're perfect for testing WAAP actions like rate limiting, bot/JS challenge, allow/block rules, and header inspection.

Practical WAAP test ideas

  • Enable a rate limit on /api/ratelimit and run burst traffic from the homepage demo.
  • Create a block rule on suspicious User-Agent and validate challenge pages.
  • Test allow rules by IP (your office/VPN) vs. block for others.
  • Test header-based rules (e.g., missing Authorization → block).
  • Ensure API endpoints return Cache-Control: no-store to prevent CDN caching.

The goal of this page is to quickly understand where to look when something is blocked, challenged, cached, or rewritten.
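
A minimal model of the stated action priority (Allow > Block > Captcha > Handshake) applied to the test ideas above, as an added example that is not Gcore's code or API. It assumes every matching rule is collected and the highest-priority action wins; the rule names, IP addresses and User-Agent marker are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable

# Action priority as stated on the page: Allow > Block > Captcha > Handshake.
PRIORITY = ("allow", "block", "captcha", "handshake")

@dataclass(frozen=True)
class Rule:
    name: str      # hypothetical rule label
    action: str    # one of PRIORITY
    matches: Callable[[dict], bool]

def header(req: dict, name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    return next((v for k, v in req["headers"].items() if k.lower() == name.lower()), "")

# Constructed rules mirroring the test ideas (IP and UA marker are sample values).
RULES = [
    Rule("office-ip", "allow", lambda r: r["ip"] == "203.0.113.10"),
    Rule("bad-ua", "block", lambda r: "badbot" in header(r, "User-Agent").lower()),
    Rule("no-auth", "block",
         lambda r: r["path"].startswith("/api/") and not header(r, "Authorization")),
    Rule("api-js", "handshake", lambda r: r["path"].startswith("/api/")),
]

def evaluate(req: dict, rules=RULES):
    """Return (action, winning rule, every matched rule) for one request."""
    matched = [r for r in rules if r.matches(req)]
    if not matched:
        return "pass", None, []
    winner = min(matched, key=lambda r: PRIORITY.index(r.action))
    return winner.action, winner.name, [r.name for r in matched]

# Constructed sample requests.
SAMPLES = {
    "office + bad UA": {"ip": "203.0.113.10", "path": "/api/ratelimit",
                        "headers": {"user-agent": "BadBot/1.0"}},
    "outside + bad UA": {"ip": "198.51.100.7", "path": "/api/ratelimit",
                         "headers": {"User-Agent": "BadBot/1.0", "Authorization": "Bearer x"}},
    "outside + token": {"ip": "198.51.100.7", "path": "/api/ratelimit",
                        "headers": {"User-Agent": "curl/8.0", "Authorization": "Bearer x"}},
    "outside, static page": {"ip": "198.51.100.7", "path": "/index.html",
                             "headers": {"User-Agent": "curl/8.0"}},
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        action, rule, matched = evaluate(req)
        print(f"{label:22} -> {action:9} by {rule}; matched: {matched}")
```

Under this model a request from the allow-listed office/VPN address never reaches the block or challenge outcome, so validate block and challenge rules from an address outside the allow list.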